Package details: pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1?arch=el8
purl: pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1?arch=el8
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 4.5
Vulnerabilities affecting this package (10)
Columns: Vulnerability, Summary, Fixed by (versions of this package recorded as fixing the vulnerability; an upstream plugin release named inside a summary is not the same thing)
VCID-4qvq-xv22-xbed
Aliases: CVE-2022-30954, GHSA-5m4q-x28v-q6wp
Missing Authorization: Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.
Fixed by: none reported.
VCID-5bu5-5b6n-nuft
Aliases: CVE-2023-24422, GHSA-76qj-9gwh-pvv3
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Fixed by: none reported.
VCID-7k5m-ys11-mfby
Aliases: CVE-2023-1370, GHSA-493p-pfq6-5258
json-smart Uncontrolled Recursion vulnerability: Affected versions of net.minidev:json-smart (https://github.com/netplex/json-smart-v1) are vulnerable to denial of service (DoS) through a StackOverflowError when parsing a deeply nested JSON array or object. On reaching a '[' or '{' character in the input, the code parses an array or an object respectively, and the library places no limit on how deeply such arrays or objects may nest. Because nested arrays and objects are parsed recursively, nesting enough of them exhausts the stack (stack overflow) and crashes the software.
Fixed by: none reported.
VCID-j584-bgww-z7fw
Aliases: CVE-2022-29599, GHSA-rhgr-952r-6p8q
Command injection in Apache Maven maven-shared-utils: In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
Fixed by: none reported.
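The maven-shared-utils entry above describes a quoting bug: an argument is wrapped in double quotes but its contents are not escaped, so a value containing a double quote closes the quoting early and the shell parses whatever follows as further commands. The Python below is an added illustration written for this page; it is not maven-shared-utils code and does not reproduce its Commandline class. It assembles a command line with three quoting strategies (the flawed one, double quotes with the four significant characters escaped, and single quotes via shlex.quote) and then tokenizes the result with Python's shlex in shell-like mode, so the words the shell would actually see become visible. The hostile argument value is constructed for the example.

```python
import shlex

# Tokens that, outside quotes, make a POSIX shell start a new command or pipeline.
SHELL_SEPARATORS = {";", "&", "&&", "|", "||", "(", ")"}

# Constructed attacker-controlled argument; the embedded double quote is the point.
HOSTILE_ARG = 'report.txt"; id; echo "done'


def quote_double_naive(arg: str) -> str:
    """The flawed pattern: wrap in double quotes, escape nothing."""
    return '"' + arg + '"'


def quote_double_escaped(arg: str) -> str:
    """Double quotes done properly: inside them only \\ " $ and backtick keep
    their meaning to the shell, so exactly those characters are escaped."""
    escaped = "".join("\\" + c if c in '\\"$`' else c for c in arg)
    return '"' + escaped + '"'


def quote_single(arg: str) -> str:
    """POSIX single quoting from the standard library, the usual safe choice."""
    return shlex.quote(arg)


def build_command(program: str, args, quoter) -> str:
    """Assemble a command line the way a Commandline-style helper would."""
    return " ".join([program] + [quoter(a) for a in args])


def shell_words(cmdline: str):
    """Split a command line as a POSIX shell lexer would, keeping ; & | ( )
    as separate tokens so that injected separators show up on their own."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_separators(cmdline: str):
    """Separators that ended up outside quotes. Any hit means the argument
    was able to terminate the intended command and start another one."""
    return [w for w in shell_words(cmdline) if w in SHELL_SEPARATORS]


if __name__ == "__main__":
    for quoter in (quote_double_naive, quote_double_escaped, quote_single):
        cmd = build_command("cp", [HOSTILE_ARG, "/backup/"], quoter)
        print(f"{quoter.__name__:22} {cmd}")
        print(f"{'':22} words={shell_words(cmd)} injected={injected_separators(cmd)}")
```

With the naive quoter the shell sees `cp "report.txt"; id; echo "done" /backup/`, three commands instead of one; with either correct quoter the whole hostile value survives as a single argument word. The tokenizer only models quoting and separators, not expansion, so it is a check on argument boundaries rather than a full shell.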
VCID-myp4-24sf-9yfv
Aliases: CVE-2022-40150, GHSA-x27m-9w8j-5vcw
Jettison memory exhaustion: Applications that use Jettison to parse untrusted XML or JSON data may be vulnerable to denial of service (DoS). If the parser runs on user-supplied input, an attacker can supply content that makes the parser crash with an out-of-memory error, which supports a denial-of-service attack.
Fixed by: none reported.
VCID-sqx4-euc2-myew
Aliases: CVE-2022-40149, GHSA-56h3-78gp-v83r
Jettison parser crash by stack overflow: Applications that use Jettison to parse untrusted XML or JSON data may be vulnerable to denial of service (DoS). If the parser runs on user-supplied input, an attacker can supply content that makes the parser crash with a stack overflow, which supports a denial-of-service attack.
Fixed by: none reported.
VCID-v9jp-s75d-zffs
Aliases: CVE-2023-32977, GHSA-2wvv-phhw-qvmc
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.
Fixed by: none reported.
VCID-wp9q-eurd-43dx
Aliases: CVE-2022-45693, GHSA-grr4-wv38-f68w
Jettison Out-of-bounds Write vulnerability: Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a denial of service (DoS) via a crafted string.
Fixed by: none reported.
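Three entries on this page, json-smart (CVE-2023-1370) and the two Jettison stack-overflow entries (CVE-2022-40149, CVE-2022-45693), share one failure mode: a recursive-descent parser descends one stack frame per '[' or '{' and nothing bounds how many may be open at once, so a short input built from repeated opening brackets exhausts the stack. The parser below is an added example written for this page, not code from json-smart, Jettison or any Jenkins component. It is a small recursive JSON reader whose array and object rules count nesting depth and refuse input beyond a limit, with the limit switchable off so the unbounded behaviour (ending in Python's RecursionError, the counterpart of the JVM's StackOverflowError) can be compared directly. The deeply nested input is constructed for the example.

```python
import json


class NestingTooDeep(ValueError):
    """Raised when arrays/objects nest deeper than the configured limit."""


class _Parser:
    def __init__(self, text: str, max_depth):
        self.s = text
        self.i = 0
        self.max_depth = max_depth  # None means no limit: the vulnerable behaviour

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def skip_ws(self) -> None:
        while self.peek() in (" ", "\t", "\r", "\n"):
            self.i += 1

    def enter(self, depth: int) -> None:
        # The guard the affected libraries lacked: each open '[' or '{' costs
        # a stack frame, so bound how many may be open at the same time.
        if self.max_depth is not None and depth > self.max_depth:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {self.max_depth}")

    def value(self, depth: int):
        self.skip_ws()
        c = self.peek()
        if c == "[":
            return self.array(depth + 1)
        if c == "{":
            return self.obj(depth + 1)
        if c == '"':
            return self.string()
        if not c:
            raise ValueError("unexpected end of input")
        j = self.i
        while j < len(self.s) and self.s[j] not in ",]} \t\r\n":
            j += 1
        token, self.i = self.s[self.i:j], j
        return json.loads(token)  # number, true, false or null

    def string(self) -> str:
        j = self.i + 1
        while j < len(self.s) and self.s[j] != '"':
            j += 2 if self.s[j] == "\\" else 1  # skip escaped characters
        if j >= len(self.s):
            raise ValueError("unterminated string")
        token, self.i = self.s[self.i:j + 1], j + 1
        return json.loads(token)

    def array(self, depth: int) -> list:
        self.enter(depth)
        self.i += 1  # consume '['
        items = []
        self.skip_ws()
        if self.peek() == "]":
            self.i += 1
            return items
        while True:
            items.append(self.value(depth))
            self.skip_ws()
            c, self.i = self.peek(), self.i + 1
            if c == "]":
                return items
            if c != ",":
                raise ValueError("expected ',' or ']'")

    def obj(self, depth: int) -> dict:
        self.enter(depth)
        self.i += 1  # consume '{'
        members = {}
        self.skip_ws()
        if self.peek() == "}":
            self.i += 1
            return members
        while True:
            self.skip_ws()
            if self.peek() != '"':
                raise ValueError("expected string key")
            key = self.string()
            self.skip_ws()
            if self.peek() != ":":
                raise ValueError("expected ':'")
            self.i += 1
            members[key] = self.value(depth)
            self.skip_ws()
            c, self.i = self.peek(), self.i + 1
            if c == "}":
                return members
            if c != ",":
                raise ValueError("expected ',' or '}'")


def parse(text: str, max_depth=64):
    """Parse a JSON document, refusing nesting deeper than max_depth."""
    p = _Parser(text, max_depth)
    result = p.value(0)
    p.skip_ws()
    if p.i != len(text):
        raise ValueError("trailing data after JSON value")
    return result


def probe(text: str, max_depth) -> str:
    """Report how the parser ends on an input: ok, rejected, or crashed."""
    try:
        parse(text, max_depth)
        return "ok"
    except NestingTooDeep:
        return "rejected"
    except RecursionError:
        return "crashed"  # Python's analogue of the JVM StackOverflowError


if __name__ == "__main__":
    deep = "[" * 5000 + "]" * 5000  # constructed: 10 KB of input, 5000 frames of recursion
    print("bounded  :", probe(deep, 64))
    print("unbounded:", probe(deep, None))
```

The depth limit is checked before the recursive call is made, so the cost of a rejected document is bounded by the limit rather than by the attacker's input size; a limit in the tens is enough for any configuration or API payload a build system is likely to see. The same check belongs in any hand-written recursive parser, XML included, which is why both Jettison entries fall under the same fix.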
VCID-xq5k-dyk9-u3ct
Aliases: CVE-2022-30953, GHSA-hgpq-42pf-9vfq
Cross Site Request Forgery in Jenkins Blue Ocean Plugin: A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. Blue Ocean Plugin 1.25.4 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
Fixed by: none reported.
VCID-yph7-zq7p-j3hz
Aliases: CVE-2023-32981, GHSA-6987-xccv-fhjp
Jenkins Pipeline Utility Steps Plugin arbitrary file write vulnerability: An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.
Fixed by: none reported.
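The Pipeline Utility Steps entry states the impact (files created or replaced anywhere on the agent) but not how the crafted archive achieves it. The example below is added for this page and is not the plugin's code; it assumes the usual mechanism for this class of bug, entry names that resolve outside the extraction directory through '..' components or absolute paths, which the entry itself does not spell out. The check resolves every entry's destination against the extraction root before anything is written and rejects the whole archive on the first escape rather than silently skipping the bad entry. The archive contents, the extraction root used for the dry run, and the file names are all constructed. Symlink-typed entries and symlinks already present under the destination are not handled here.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path


class UnsafeEntry(ValueError):
    """An archive entry whose destination resolves outside the extraction root."""


def constructed_archive(hostile: bool) -> bytes:
    # Constructed sample input, not taken from any real build: one benign entry
    # and, when hostile, two entries whose names try to leave the extraction root.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "build ok\n")
        if hostile:
            zf.writestr("../../.ssh/authorized_keys", "ssh-ed25519 AAAA attacker\n")
            zf.writestr("/etc/cron.d/agent", "* * * * * root id\n")
    return buf.getvalue()


def resolve_inside(root: Path, member_name: str) -> Path:
    """Resolve an entry name against root and refuse it if the result escapes."""
    root = root.resolve()
    # Joining an absolute member name discards root entirely, and '..'
    # components are normalised by resolve(); both cases land outside root.
    target = (root / member_name).resolve()
    if target != root and root not in target.parents:
        raise UnsafeEntry(member_name)
    return target


def classify(data: bytes, root="/srv/agent/workspace"):
    """Dry run: split entry names into accepted and rejected without writing.
    The default root is a hypothetical agent workspace path."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                resolve_inside(Path(root), info.filename)
                accepted.append(info.filename)
            except UnsafeEntry:
                rejected.append(info.filename)
    return accepted, rejected


def extract_safely(data: bytes, root) -> list:
    """Validate every entry first, then write. A single bad entry rejects the
    whole archive: partial extraction of attacker input is not a safe state."""
    root = Path(root)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, resolve_inside(root, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return written


def demo() -> dict:
    """Run both archives against a throwaway directory and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            extract_safely(constructed_archive(hostile=True), tmp)
            hostile = "written"
        except UnsafeEntry as exc:
            hostile = f"rejected {exc}"
        benign = extract_safely(constructed_archive(hostile=False), tmp)
        on_disk = sorted(str(p.relative_to(tmp)) for p in Path(tmp).rglob("*") if p.is_file())
    return {"hostile": hostile, "benign": benign, "on_disk": on_disk}


if __name__ == "__main__":
    print(classify(constructed_archive(hostile=True)))
    print(demo())
```

Note that Python's own ZipFile.extractall already strips leading slashes and '..' components, which is why the example reads members with zf.open and writes them itself: the check is the point, and libraries in other ecosystems (including several Java zip and tar helpers) perform no such sanitisation on the caller's behalf.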
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Columns: Date, Actor, Action, Vulnerability, Source, VulnerableCode version
2026-04-01T14:06:43.325210+00:00 RedHat Importer Affected by VCID-j584-bgww-z7fw https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29599.json 38.0.0
2026-04-01T13:58:29.620426+00:00 RedHat Importer Affected by VCID-4qvq-xv22-xbed https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30954.json 38.0.0
2026-04-01T13:58:29.469352+00:00 RedHat Importer Affected by VCID-xq5k-dyk9-u3ct https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30953.json 38.0.0
2026-04-01T13:57:07.589019+00:00 RedHat Importer Affected by VCID-sqx4-euc2-myew https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40149.json 38.0.0
2026-04-01T13:57:06.816957+00:00 RedHat Importer Affected by VCID-myp4-24sf-9yfv https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40150.json 38.0.0
2026-04-01T13:56:07.560483+00:00 RedHat Importer Affected by VCID-wp9q-eurd-43dx https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45693.json 38.0.0
2026-04-01T13:55:39.179088+00:00 RedHat Importer Affected by VCID-5bu5-5b6n-nuft https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24422.json 38.0.0
2026-04-01T13:54:41.611347+00:00 RedHat Importer Affected by VCID-7k5m-ys11-mfby https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-1370.json 38.0.0
2026-04-01T13:53:54.656735+00:00 RedHat Importer Affected by VCID-yph7-zq7p-j3hz https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32981.json 38.0.0
2026-04-01T13:53:54.535654+00:00 RedHat Importer Affected by VCID-v9jp-s75d-zffs https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32977.json 38.0.0